mac_apt

#Incident Management #Digital Forensics

Hindsight is a free tool for analyzing web artifacts from Google Chrome/Chromium browsers and presenting the data in a timeline for forensic analysis.

mac_apt: A DFIR Tool for Mac Forensics

mac_apt is a DFIR (Digital Forensics and Incident Response) tool specifically designed to process full disk images or live machines from Mac computers. It extracts both data and metadata that are essential for conducting thorough forensic investigations.

Python-Based Framework for Artifact Processing

This is a Python-based framework that includes plugins for processing various artifacts, such as Safari internet history, network interfaces, and recently accessed files. Furthermore, mac_apt now features ios_apt, which is designed for managing iOS images.

Cross-Platform Support and Multiple Format Handling

This solution is cross-platform, supports various image formats, provides outputs in XLSX, CSV, TSV, and SQLite formats, and is capable of handling compressed files.

Native HFS and APFS Parsing

The tool also includes native HFS and APFS parsing, reads the Spotlight database as well as Unified Logging files, and supports sealed volumes in macOS Big Sur.